# ==============================================
# Policy File of /system/bin/ipsec Executable File
# ==============================================
# Type Declaration
# ==============================================
# Labels for the strongSwan executables. Each carries exec_type and
# file_type. Only charon_exec is referenced by a rule in this file;
# starter_exec, ipsec_exec and stroke_exec have no rule here, so any
# entrypoint/transition for them is presumably declared elsewhere — verify.
type ipsec_exec,   file_type, exec_type;
type starter_exec, file_type, exec_type;
type charon_exec,  file_type, exec_type;
type stroke_exec,  file_type, exec_type;

# Process domain that every allow rule below is granted to.
type ipsec, domain;

# ==============================================
# MTK Policy Rule
# ==============================================
# Date: WK14.52
# Operation : Feature developing for ePDG
# ==============================================

# ---------- Configuration (read-only) and runtime state ----------
# Purpose : read strongswan config file for IKEv2 Tunnel
# Both config labels get the same read-only file and dir permissions.
allow ipsec { wod_apn_conf_file wod_ipsec_conf_file }:dir search;
allow ipsec { wod_apn_conf_file wod_ipsec_conf_file }:file { getattr ioctl open read };

# Purpose : charon/starter PID file (and a sock_file) under vpn_data_file
allow ipsec vpn_data_file:dir { add_name remove_name search write };
allow ipsec vpn_data_file:file { create getattr open read setattr unlink write };
allow ipsec vpn_data_file:sock_file { create setattr unlink write };

# Purpose : access xfrm
# NOTE(review): this is write on every file labelled proc_net, not one
# /proc/net entry; confirm which node is actually written — TODO
allow ipsec proc_net:file write;

# ---------- System properties ----------
# Purpose : set property for ip address with epdg_wod
allow ipsec mtk_wod_prop:property_service set;
# Purpose : access property socket (the property service is reached via init)
allow ipsec property_socket:sock_file write;
allow ipsec init:unix_stream_socket connectto;

# ---------- IPC with epdg_wod ----------
# Purpose : send command to epdg_wod
allow ipsec wod_ipsec_socket:sock_file write;
# Purpose : access socket of wod and property
allow ipsec epdg_wod:unix_stream_socket { connectto read write };
# Purpose : output to /dev/null
# (fd use = a descriptor owned by epdg_wod; presumably inherited — verify)
allow ipsec epdg_wod:fd use;

# ---------- Name resolution ----------
# Purpose : Query DNS address (netd's dnsproxyd socket)
allow ipsec netd:unix_stream_socket connectto;
allow ipsec dnsproxyd_socket:sock_file write;

# ---------- IKEv2 transport sockets ----------
# Purpose : send/receive packet to/from peer
allow ipsec self:tcp_socket { connect create getattr getopt read write };
allow ipsec self:udp_socket { bind create read setopt write };
# Purpose : create socket for IKEv2 protocol (bind/connect on node and port labels)
allow ipsec node:udp_socket node_bind;
allow ipsec port:udp_socket name_bind;
allow ipsec port:tcp_socket name_connect;
# Purpose : charon set fwmark
allow ipsec fwmarkd_socket:sock_file write;

# ---------- Kernel ip/route/xfrm operations ----------
# The route and xfrm netlink classes receive an identical permission set.
allow ipsec self:{ netlink_route_socket netlink_xfrm_socket } { bind create nlmsg_read nlmsg_write read write };

# Purpose : kernel ip/route operations (capabilities)
# NOTE(review): dac_override and kill go beyond ip/route work; confirm each
# is still required (e.g. fix file ownership/labels instead of dac_override) — TODO
allow ipsec self:capability { dac_override kill net_admin net_bind_service };

# Purpose : starter invoke charon
# execute_no_trans: charon keeps running in the ipsec domain (no transition).
allow ipsec charon_exec:file execute_no_trans;